fix(authentication): erroneously escaped group base dn (#4288)

The BaseDN for groups was escaped improperly and failed on any BaseDN with special characters. This fixes the issue.

internal/authentication/ldap_user_provider.go

@@ -126,21 +126,24 @@ func (p *LDAPUserProvider) GetDetails(username string) (details *UserDetails, er
 	}
 
 	var (
-		filter  string
 		request *ldap.SearchRequest
 		result  *ldap.SearchResult
 	)
 
-	if filter, err = p.resolveGroupsFilter(username, profile); err != nil {
-		return nil, fmt.Errorf("unable to create group filter for user '%s'. Cause: %w", username, err)
-	}
-
 	// Search for the users groups.
 	request = ldap.NewSearchRequest(
 		p.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
-		0, 0, false, filter, p.groupsAttributes, nil,
+		0, 0, false, p.resolveGroupsFilter(username, profile), p.groupsAttributes, nil,
 	)
 
+	p.log.
+		WithField("base_dn", request.BaseDN).
+		WithField("filter", request.Filter).
+		WithField("attr", request.Attributes).
+		WithField("scope", request.Scope).
+		WithField("deref", request.DerefAliases).
+		Trace("Performing group search")
+
 	if result, err = p.search(client, request); err != nil {
 		return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
 	}
@@ -318,14 +321,20 @@ func (p *LDAPUserProvider) searchReferrals(request *ldap.SearchRequest, result *
 }
 
 func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (profile *ldapUserProfile, err error) {
-	userFilter := p.resolveUsersFilter(username)
-
 	// Search for the given username.
 	request := ldap.NewSearchRequest(
 		p.usersBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
-		1, 0, false, userFilter, p.usersAttributes, nil,
+		1, 0, false, p.resolveUsersFilter(username), p.usersAttributes, nil,
 	)
 
+	p.log.
+		WithField("base_dn", request.BaseDN).
+		WithField("filter", request.Filter).
+		WithField("attr", request.Attributes).
+		WithField("scope", request.Scope).
+		WithField("deref", request.DerefAliases).
+		Trace("Performing user search")
+
 	var result *ldap.SearchResult
 
 	if result, err = p.search(client, request); err != nil {
@@ -398,7 +407,7 @@ func (p *LDAPUserProvider) resolveUsersFilter(username string) (filter string) {
 	return filter
 }
 
-func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUserProfile) (filter string, err error) { //nolint:unparam
+func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUserProfile) (filter string) {
 	filter = p.config.GroupsFilter
 
 	if p.groupsFilterReplacementInput {
@@ -418,7 +427,7 @@ func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUse
 
 	p.log.Tracef("Computed groups filter is %s", filter)
 
-	return filter, nil
+	return filter
 }
 
 func (p *LDAPUserProvider) modify(client LDAPClient, modifyRequest *ldap.ModifyRequest) (err error) {

internal/authentication/ldap_user_provider_startup.go

@@ -130,7 +130,7 @@ func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
 	}
 
 	if p.config.AdditionalGroupsDN != "" {
-		p.groupsBaseDN = ldap.EscapeFilter(p.config.AdditionalGroupsDN + "," + p.config.BaseDN)
+		p.groupsBaseDN = p.config.AdditionalGroupsDN + "," + p.config.BaseDN
 	} else {
 		p.groupsBaseDN = p.config.BaseDN
 	}

internal/authentication/ldap_user_provider_test.go

@@ -120,10 +120,10 @@ func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) {
 		Emails:      []string{"john.doe@authelia.com"},
 	}
 
-	filter, _ := ldapClient.resolveGroupsFilter("john", &profile)
+	filter := ldapClient.resolveGroupsFilter("john", &profile)
 	assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john))", filter)
 
-	filter, _ = ldapClient.resolveGroupsFilter("john#=(abc,def)", &profile)
+	filter = ldapClient.resolveGroupsFilter("john#=(abc,def)", &profile)
 	assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john\\#\\=\\28abc\\,def\\29))", filter)
 }